
July 15, 2013

Non-Standard Way to Get Inaccessible Data from iOS

Following my talk at Positive Hack Days, I would like to share what I learned while exploring the configd daemon and its MACH port on iOS 6. As you know, iOS gives very little information about the Wi-Fi connection status. Basically, the public API lets you get the SSID, the BSSID and the adapter's network settings, and that's all. What about the encryption mode? The signal strength? Read on for how to get such data without the Private API and without a jailbreak.

I must apologize in advance for posting so much source code. To begin with, let us recall how it worked earlier, in iOS 5.*. Back then you could use the Apple System Log (ASL) facility to read the system messages that are logged when connecting to a network. The encryption mode and signal strength appeared in those messages, and you could get them this way:

But, as Apple usually does, the company closed access to those system messages in ASL as soon as it learned about them. So we had to find a new way to get this data. The question was now posed differently: how do you get this data on Mac OS and on iOS?

First of all, you can use scutil, which lets you read the system configuration data, including the information we need. Testing on a jailbroken iPhone running iOS 6 showed that the tool works quite well there. That was my clue, and I started looking for a way to reach SystemConfiguration on iOS.

Everything works: the result is returned. So there is no technical block, only Apple's formal restrictions, which will not let such code pass App Store validation. So why don't we write that piece of the library ourselves?

The source code was easy to find: it is part of the configd daemon. The most interesting part begins when you read the description of SCDynamicStoreCopyValue.

Now you have two options: the way of the common person and the way of the Jedi. You can run mig on the file config.defs and get the generated code to drop into the project. Unfortunately, we did not find that file during the research, so we had to do some reverse engineering :) However, Dmitry Sklyarov showed his Jedi skills and managed to reconstruct the process of sending the request to the configd MACH port. So the method was completely restored.

The data we needed were located under the key @"Setup:/Network/Interface/en0/AirPort".
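As an added example (not code from the post or from configd), here is how that same key is read on macOS through the public SCDynamicStore API, which is what the post's hand-made iOS client stands in for; it assumes macOS, a Wi-Fi interface named en0, and also queries the State:/ counterpart of the key, which the post does not mention. Comparing what each key returns to a sandboxed process is a quick way to audit what configd exposes.

```c
/* Added example, not the post's own code: read the AirPort dictionary that
 * configd publishes for a Wi-Fi interface through the public SCDynamicStore
 * API. Assumes macOS, where SystemConfiguration.framework exports this API
 * (it is not in the public iOS SDK, which is the point of the post).
 * Build: cc airport_dump.c -framework SystemConfiguration -framework CoreFoundation */
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <CoreFoundation/CoreFoundation.h>
#include <SystemConfiguration/SystemConfiguration.h>
#endif

/* Build a dynamic-store key for an interface, e.g. ("Setup", "en0") ->
 * "Setup:/Network/Interface/en0/AirPort", the key named in the post. */
const char *airport_key(const char *prefix, const char *ifname, char *buf, size_t n)
{
    snprintf(buf, n, "%s:/Network/Interface/%s/AirPort", prefix, ifname);
    return buf;
}

/* Query the Setup:/ (configured) and State:/ (live) AirPort keys for ifname and
 * dump whatever configd hands back. Returns how many keys had a value, or -1
 * where the framework is unavailable (non-Apple build). */
int dump_airport(const char *ifname)
{
#ifdef __APPLE__
    SCDynamicStoreRef store = SCDynamicStoreCreate(NULL, CFSTR("airport_dump"), NULL, NULL);
    if (store == NULL) return -1;
    const char *prefixes[] = { "Setup", "State" };
    int found = 0;
    for (int i = 0; i < 2; i++) {
        char keybuf[128];
        airport_key(prefixes[i], ifname, keybuf, sizeof keybuf);
        CFStringRef key = CFStringCreateWithCString(NULL, keybuf, kCFStringEncodingUTF8);
        CFPropertyListRef value = SCDynamicStoreCopyValue(store, key);
        printf("%s\n", keybuf);
        if (value != NULL) {
            CFShow(value);          /* prints the dictionary to stderr */
            CFRelease(value);
            found++;
        } else {
            puts("  (no value: key absent or not readable by this process)");
        }
        CFRelease(key);
    }
    CFRelease(store);
    return found;
#else
    (void)ifname;
    return -1;                      /* SystemConfiguration is Apple-only */
#endif
}
```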

So we implemented part of SystemConfiguration.framework on our own and got the data without a jailbreak or illicit use of private libraries. Interestingly, there are more than 100 open MACH ports with various names in iOS 6, which I think sets the stage for further research. Unfortunately, for the time being I cannot say whether such code will be accepted in the App Store, but it is worth trying anyway.